
Symbolic Model Checking and OBDDs

2.5 Model checking

2.5.2 Symbolic Model Checking and OBDDs

This section introduces ordered binary decision diagrams (OBDDs) [Bry86, McM92, BCM+92, HR04]. They are extremely useful in automatic verification because they mitigate the state explosion problem by reducing the problem of checking whether or not a given structure M is a model for a given formula ϕ to the problem of comparing two OBDDs.

OBDDs represent Boolean functions in a compact way. Boolean functions are defined on Boolean variables. Therefore, Boolean formulas can be seen as Boolean functions. For every Boolean function f (x1, . . . , xn), it is possible to associate a specific diagram, called BDD, by labelling each node of the diagram with a Boolean variable.

[Figure 2.2: A BDT representing the formula x1 ∧ x2 ∧ (x3 ∨ x4). Only the node labels x1, x2, x3, x4 and the terminal values 0 and 1 survive from the diagram.]

[Figure 2.3: the BDD for the same formula; the diagram itself is not recoverable from the text.]

Definition 2.25 (BDD). [HR04]

A BDD (Binary Decision Diagram) D is a rooted, directed, acyclic diagram in which each node has exactly two edges to successor nodes. D describes a unique Boolean function. Given a fixed assignment to the Boolean variables of D, we start from the root and follow the edge labelled with 1 if the current variable takes the value 1, and the edge labelled with 0 if it takes the value 0. We travel along the diagram top-down until we reach a terminal node, whose label is the value of the Boolean function.

A binary decision tree (BDT) is a rooted, directed, acyclic tree in which each node in the tree has exactly one predecessor. In a BDD it is possible that more than one node has the same successor. This cannot happen in a BDT.

Figure 2.2 shows a BDT describing the Boolean function f (x1, x2, x3, x4) = x1 ∧ x2 ∧ (x3 ∨ x4). Notice that the BDT contains many redundancies, while the BDD shown in Figure 2.3 is a more compact representation.

An ordered BDD (OBDD) is a BDD with a fixed ordering on the list of variables x1, . . . , xn of a Boolean function f.

There are several algorithms to reduce OBDDs. One of them is the algorithm reduce [HR04]. This algorithm traverses the input OBDD layer by layer, starting from the terminal nodes and moving up toward the root. The procedure reduce labels each node n with an integer id(n) in such a way that two nodes which are the roots of two identical sub-diagrams get the same integer label. Let low(n) be the left successor of n and hi(n) be the right successor of n. Assume that reduce has already labelled all nodes of layer i + 1. At layer i, three different situations can occur:

1. If id(hi(n)) = id(low(n)), then reduce labels the node n with id(low(n)), the label shared by both of its successors (i.e., the node n makes a redundant check: whichever value its variable takes, the same sub-diagram is reached).

2. If there is another node m representing the variable of n with id(low(n)) = id(low(m)) and id(hi(n)) = id(hi(m)) then reduce labels the node m with id(n) (i.e., the two nodes m, n compute the same Boolean function).

3. If the two previous cases do not occur then the algorithm reduce labels the node n with a new integer.

Finally, two sub-diagrams rooted at nodes n and m labelled with the same integer are merged together. An OBDD D to which the algorithm reduce has been applied is called a reduced OBDD (ROBDD); no further reduction can be performed on it.
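As an added worked example (not from the thesis or [HR04]), the following Python code builds the BDT of Figure 2.2 from a truth table and runs the three cases of reduce layer by layer from the terminals; the names build_bdt, reduce_obdd and robdd are chosen here, and the sentinel variable n + 1 for the terminals is an implementation assumption. Because the result is canonical for the fixed ordering x1 < x2 < x3 < x4, the ROBDD of a De Morgan rewriting of the same function compares equal, which is the comparison that symbolic model checking relies on.

```python
def build_bdt(f, n):
    """Full binary decision tree for f(x1, ..., xn) under the ordering x1 < ... < xn.
    Returns (root, nodes) with nodes: id -> (var, low, hi). Ids 0 and 1 are the
    terminals 0 and 1; they carry the sentinel variable n + 1 and no successors."""
    nodes = {0: (n + 1, None, None), 1: (n + 1, None, None)}

    def rec(bits):
        if len(bits) == n:                      # leaf: the truth-table entry for this path
            return int(bool(f(*bits)))
        low, hi = rec(bits + (0,)), rec(bits + (1,))
        nid = len(nodes)
        nodes[nid] = (len(bits) + 1, low, hi)   # this node tests x_{len(bits)+1}
        return nid

    return rec(()), nodes


def reduce_obdd(root, nodes, n):
    """The algorithm reduce: label nodes layer by layer from the terminals up to the
    root so that roots of identical sub-diagrams get the same integer, then keep one
    node per label. Returns (id(root), table), table: label -> (var, id(low), id(hi))."""
    ident = {0: 0, 1: 1}                                    # the terminals label themselves
    table = {0: (n + 1, None, None), 1: (n + 1, None, None)}
    for layer in range(n, 0, -1):                           # layer i + 1 is done before layer i
        seen = {}                                           # (var, id(low), id(hi)) -> label
        for nid, (var, low, hi) in sorted(nodes.items()):
            if var != layer:
                continue
            key = (var, ident[low], ident[hi])
            if key[1] == key[2]:          # case 1: redundant test, n behaves like its successor
                ident[nid] = key[1]
            elif key in seen:             # case 2: an earlier node m computes the same function
                ident[nid] = seen[key]
            else:                         # case 3: new sub-diagram, fresh integer label
                seen[key] = ident[nid] = len(table)
                table[ident[nid]] = key   # the merged node that survives in the ROBDD
    return ident[root], table


def robdd(f, n):
    """Canonical ROBDD of f: build the BDT, then reduce it."""
    return reduce_obdd(*build_bdt(f, n), n)


def f1(x1, x2, x3, x4):       # the function of Figure 2.2
    return x1 and x2 and (x3 or x4)


def f2(x1, x2, x3, x4):       # the same function rewritten with De Morgan's laws
    return not ((not x1) or (not x2) or ((not x3) and (not x4)))
```

Running robdd(f1, 4) on the 17-node BDT leaves 6 nodes: the two terminals plus one test of each of x1, x2, x3, x4, and robdd(f2, 4) returns the identical table.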

ROBDDs have been successfully used in model checking. The field of model checking that uses binary decision diagrams is called symbolic model checking. The method used in symbolic model checking is the following one:

1. Two ROBDDs are built; one for the specification ϕ and the other one for the model T = (S, t, V ).

2. By comparing the two diagrams it is possible to establish whether the specification ϕ holds in the model T.

The technical details of the symbolic model checking technique are discussed below [HR04].

Representing subsets of the set of states. Given a model T = (S, t, V ), the goal is to use Boolean functions, and therefore ROBDDs, to represent subsets of the set S. Each state s ∈ S is represented by a Boolean vector of values x = (x1, x2, . . . , xn), where xi ∈ {0, 1}, ∀i ∈ {1, . . . , n}. Each vector x is described by a Boolean formula f that is a conjunction of variables or their negations. A subset of states is described by a Boolean formula F that is the disjunction of the Boolean formulas f of its states. For instance, given two states s1 = (1, 0), represented by f1 : x1 ∧ ¬x2, and s2 = (1, 1), represented by f2 : x1 ∧ x2, the set S = {s1, s2} is represented by the Boolean function F : (x1 ∧ ¬x2) ∨ (x1 ∧ x2).

Representing the transition relation. The transition relation t is a subset of the Cartesian product S × S. Therefore, a single transition t(s, s′) from s to s′ can be represented by a pair of Boolean vectors (x, x′), where the first vector x represents the state s and the second vector x′ represents the state s′. The Boolean formula f : x ∧ x′, the conjunction of the formulas representing x and x′, represents the transition t(s, s′). The entire transition relation t is represented by the disjunction of all such formulas f.

The labelling algorithm and Boolean formulas. The labelling algorithm operates on the structure of a formula φ and builds the set [φ] of states at which the formula is satisfied. All the operations on sets can be represented by Boolean connectives. The union (intersection) of two sets is represented by the connective ∨ (∧). Given two sets A, B, the complement A − B is represented by the conjunction of the Boolean formula representing A and the negation of the Boolean formula representing B. The existential quantification of a state s ∈ S is represented by the Boolean formula ∃x(fS), where x is the vector representing the state s and fS is the Boolean formula representing S.
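An added example (not part of the thesis) of the encoding just described, in Python, with formulas kept as disjunctions of conjunctions of literals rather than as ROBDDs: the names state_formula, set_formula, transition_formula, conj, exists_primed, to_states and pre_image are chosen here, and the three-state model TRANS is constructed for the demonstration. pre_image computes ∃x′(t(x, x′) ∧ F_S(x′)), the set of states with a successor in S, which is the operation the labelling algorithm needs for EX.

```python
from itertools import product


def state_formula(bits, primed=False):
    """Conjunction of literals for one state vector: (1, 0) -> x1 ∧ ¬x2 (primed: x1' ∧ ¬x2').
    A conjunction is a frozenset of (variable, value) literals."""
    suffix = "'" if primed else ""
    return frozenset((f"x{i + 1}{suffix}", b) for i, b in enumerate(bits))

def set_formula(states, primed=False):
    """The formula F for a subset of S: the disjunction (a frozenset) of its state formulas."""
    return frozenset(state_formula(s, primed) for s in states)

def transition_formula(trans):
    """t as the disjunction of x ∧ x' conjunctions, one for each pair (s, s') in trans."""
    return frozenset(state_formula(s) | state_formula(s2, primed=True) for s, s2 in trans)

def conj(F, G):
    """F ∧ G for DNF formulas: union of every pair of conjunctions, dropping the
    contradictory ones (a variable required to be both 0 and 1). Union is just F | G."""
    out = set()
    for a in F:
        for b in G:
            c = a | b
            if len({var for var, _ in c}) == len(c):
                out.add(c)
    return frozenset(out)

def exists_primed(F):
    """∃x'(F): existential quantification of the primed vector drops its literals from
    every conjunction (∃ distributes over ∨, and on a conjunction of literals it simply
    removes the quantified variable)."""
    return frozenset(frozenset(l for l in c if not l[0].endswith("'")) for c in F)

def to_states(F, n):
    """Enumerate the state vectors over x1..xn satisfying a DNF (fine for small n)."""
    return {v for v in product((0, 1), repeat=n)
            if any(all(v[int(var[1:]) - 1] == b for var, b in c) for c in F)}

def pre_image(trans, states, n):
    """States with a successor in `states`: ∃x'(t(x, x') ∧ F_S(x')), the EX step
    of the labelling algorithm."""
    return to_states(exists_primed(conj(transition_formula(trans), set_formula(states, True))), n)

# Constructed toy model with n = 2: the states s1, s2 of the text plus s3 = (0, 0).
S1, S2, S3 = (1, 0), (1, 1), (0, 0)
TRANS = [(S3, S1), (S1, S2), (S2, S2)]       # s3 -> s1 -> s2 -> s2 (self-loop)
```

set_formula({S1, S2}) is exactly the F of the text, and pre_image(TRANS, {S2}, 2) yields {s1, s2}, the two states from which s2 is reachable in one step.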

Given a Boolean function f (x1, . . . , xn) of n variables and a fixed ordering of its Boolean variables x1, . . . , xn, Bryant showed that the reduced OBDD for f (x1, . . . , xn) is unique [Bry86]. Therefore, in order to establish whether a formula φ holds in a model T, we can simply compare the structure of the ROBDD for the formula φ with the structure of the ROBDD for the model T.

Symbolic model checking has also been used for the verification of CTLK specifications in [LP07b].